Tech Tuesday: Pursuing a Career as a Security Researcher

Have some of my posts about security vulnerabilities and exploits piqued your curiosity? Are you more than interested in learning everything you can about security? You can turn your natural curiosity into a profession with the right training and practice. And that profession is security researcher. Searches on LinkedIn, Indeed.com, and Glassdoor indicate that the world needs security researchers and is willing to pay them some pretty good money.

I might argue that security researcher is not a profession – it is a calling. To do it right, you’ll have to live and breathe security because ideas and research don’t merely take place during business hours. You will stop and notice details others pass by blissfully. Convenience will be scrutinized. Friends and family may think you’re over-cautious, if not a tad paranoid. Security will be considered with every purchase, every upgrade, every keystroke. If you’re not that into security, then move on.

If you are, then this just might be the beginning of the rest of your life.

You know already if you have what it takes to be a security researcher – an insatiable curiosity about all things that keep you and your data safe. I gave some examples of this curiosity in my last post. The rest of it – methodology, knowledge, mechanics, industry connections, training, certifications – are mere details compared to your voracious need to rip everything apart, figure out whether or not it is secure, and if it is secure learn how they did it, and if it isn’t secure learn how to make it so.

Building a Solid Foundation

A security researcher is most likely a member of a larger security team that plays a role in developing or implementing hardware or software products. The security researcher, like all researchers, is constantly reading about new discoveries in his field and formulating and testing theories about how they apply to his work. Also, like most research positions, security researchers need to have demonstrated a basic understanding of the field and exhibited very good communication skills. They are therefore required to have at least a bachelor’s degree in computer science, if not a master’s or PhD.

In the case of security, real world experience must go hand-in-hand with academic prowess. Sitting in a classroom learning how to code is not the same as reverse-engineering applications and discovering what makes them vulnerable. Taking a class about network security is a great way to get your feet wet. Building a network, penetration testing it, and protecting it are better. Finding vulnerabilities in applications, coding an exploit, and contacting the manufacturer is another way to gain real-world experience.

Certifications go a long way towards convincing potential employers that you know what you’re talking about. My CISSP has proven invaluable as a security credential – I wish I had a dollar for every time I’ve heard “I know that I can talk tech with you because you’ve got a CISSP”. Other important certifications include Certified Ethical Hacker (CEH), Certified Penetration Tester (CPT), Certified Computer Forensics Examiner (CCFE), and Certified Reverse Engineering Analyst (CREA). Stratford University offers training and certification for many of these, including Certified Information Systems Auditor (CISA), a certification that is recognized around the world and assures vendors of your competency in auditing IT systems and infrastructures, assessing vulnerabilities, and reporting compliance with enterprise standards.

A Day in the Life (Nothing Like TV or the Movies)

A security researcher’s specific job duties vary based on the products he or she works with. Some spend the day elbows deep in custom application code, some are up to their eyes in malware, and others have their noses in the TCP/IP stack. As you’re exposed to more technology, you’ll learn what most interests you and you’ll gravitate towards that. I tend to play in multiple realms, but for me it always comes back to analyzing and securing network traffic and devices.

Staying on top of the vulnerability landscape is essential. Reading the latest vulnerabilities and exploits on sites like Dark Reading, Threatpost, Hacker News, and US-CERT, and learning to apply this knowledge to what you’re working on, is going to be a large part of your job. Publicly available information is the tip of the iceberg – prepare to wade into the darkest depths of the Internet like the dark web, IRC, chat rooms, mailing lists, and anywhere else applicable. In many cases, you’ll be responsible for taking this information, educating your peers, and preparing counter-measures proactively.

You’ll spend most of your day in the lab, analyzing and documenting vulnerabilities and exploits. You’re most likely to take something secure and attack it, either using a penetration testing tool or exploit code. You’ll document the specific attack capabilities of the specimen (code, malware, exploit in the pen test tool) with a keen eye towards understanding the big-picture concepts of the exploit scenario. Understanding the concepts is far more important than merely knowing how to launch scripts if you want to be a security researcher and not a mere script kiddie. Concepts are your future; scripts are the mechanics that help get you there.

Being able to explain what you did so that others can repeat it is a critical skill. You’ll work independently most of the time, but research is collaborative. Being able to communicate your findings clearly and concisely will be almost as important as your organizational and leadership skills as you move forward in your career. You’ll be writing plenty of technical reports, maybe even as many reports as code. Most of these reports will be internal only, but there’s a good chance that some (or at least parts of some) may be released publicly.

As you progress in your career, you may be called on to play a more public role as a security evangelist. You might blog about threats, speak to or work with the media, speak at conferences, or write longer research papers. This could potentially magnify your impact on the security community, but it’s up to you to decide which path you take. I know plenty of brilliant security researchers who would gladly turn down a speaking opportunity in order to spend more time in the lab.

Passion Makes Perfection

The tasks performed by security researchers vary greatly. No matter your area of expertise or whether you’re in academia or business, it will all boil down to your passion for security. You can’t learn passion, you can only cultivate it. You start with a passion and a burning thirst for knowledge, and to that you add conceptual knowledge, technique, and excellent communication skills.

Once you learn how to harness your passion for security I guarantee that you’ll never be bored at work again.

Matthew David Sarrel has been practicing and writing about network and information security for over 20 years. He is Executive Director of Sarrel Group, an editorial services/content marketing, product test lab, and information technology consulting company. He is a Contributing Editor for PCMag.com, Triple-G Editor for Backayard Magazine, and contributor to Infoworld, Programmable Web, and numerous other sites and publications. Previously, he was a technical director for PC Magazine Labs. Prior to joining PC Magazine, he served as VP of Engineering and IT Manager at two Internet startups. Earlier, he spent almost 10 years providing IT solutions in HIV-and-TB-related medical research settings at the New Jersey Medical School. Mr. Sarrel has a BA (History) from Cornell University, an MPH (Epidemiology) from Columbia University, and is also a Certified Information Systems Security Professional (CISSP). Mr. Sarrel has written for and spoken to numerous international audiences about information technology and information security. He participated as an expert in two Federal Trade Commission workshops, one about spam in 2003 and one about spyware in 2004. Follow Matt on Twitter. Follow his adventures with Elvis the information security French bulldog on Instagram.

Stratford University, in association with Key Cybersecurity, is offering CISSP, CISA and CEH training and certification courses at many of its Northern Virginia campuses. We will be providing students with hands-on experience with state-of-the-art security solutions like HeurekaCyber’s Cyber Armor and others. Join us at http://www.stratford.edu/cyber in becoming the first line of defense in cybersecurity.